This proposal describes the development of PURSUIT, a cross-domain intrusion detection and prevention system that relies on state-of-the-art privacy-preserving distributed data mining (PPDM) technology. PURSUIT has a distributed multi-agent architecture that supports the formation of ad-hoc collaborative coalitions with due attention to security and privacy issues. PURSUIT's foundation is based on different PPDM techniques, such as k-ring of privacy, secure multi-party computation, and randomized transformations, that allow privacy-sensitive sharing of attack patterns rather than the raw data. This project will be performed by Agnik, Tresys, and the University of Minnesota Army High Performance Computing Research Center. The Agnik team has a strong track record in distributed and privacy-preserving data mining. Tresys is a security company with a strong record of working with many governmental agencies dealing with national security. The UMN team has a strong record in building intrusion detection systems, including the MINDS system. Since PURSUIT links up available intrusion detection and prevention systems, it has the commercial potential to be marketed to all organizations that currently use such systems. An early PURSUIT coalition has already been set up; it includes organizations such as the University of Illinois, SRI International, Purdue University, Ohio State University, and Stevens Institute of Technology.

Company

CounterStorm Inc.
15 W. 26th Street
7th Floor
New York, NY
10010-1002

Proposal Information

0423005 - Cross-domain security alert sharing: Worminator

Topic Information

H-SB04.2-001 - Cross-Domain Attack Correlation Technologies

Award/Contract Number

NBCHC050144

Abstract

This proposal by CounterStorm, Inc. (formerly System Detection) concerns the second phase of research, development, and commercial release of Worminator, an innovative and effective approach to anonymously sharing and correlating security information in real time. The overriding principle of Worminator is that cross-domain collaboration enhances accuracy and efficacy by enabling rapid detection of worms, zero-day exploits, and slow-and-stealthy attacks currently undetected by existing products. The overarching goal of this Phase 2 effort is to fully incorporate the Worminator technology into CounterStorm's AntiWorm-1 commercial security product, providing an effective defense against emerging threats. CounterStorm's Phase 1 effort oversaw the successful development and deployment of the first-generation Worminator architecture at commercial and academic sites. Using Worminator to correlate alerts from CounterStorm's Surveillance Detection Engine, we demonstrated a dramatic reduction in the alert stream, yielding a manageable number of actionable alarms. This Phase 2 effort is organized into four components. First, we will extend Worminator's collaboration capabilities beyond the sharing of attack source addresses. As a part of this effort, we will integrate Worminator with CounterStorm's Payload Anomaly Sensor (PAYL is the topic of another SBIR Phase 2 proposal). PAYL and Worminator together provide real-time sharing of automatically generated content signatures to inoculate collaborating sites against attack. Second, we aim to support anonymous collaboration. Third, we plan a fully commercialized implementation of Worminator as an extension of CounterStorm's AntiWorm-1 architecture. Finally, in collaboration with Columbia University, we plan to conduct a comprehensive study of real-world attack behaviors over time, including coverage, response rates, and efficiency under different exchange algorithms. Incorporation of the Worminator technology enhances AntiWorm-1 by allowing rapid and anonymous sharing and correlation of threat information in real time, thus giving sites the ability to block malicious activity before it is seen locally.

In Phase I, Solidcore Inc. developed new techniques for malware identification by extending existing Solidcore technology (which traps malicious software when it attempts to execute on an end-system) to perform real-time analytics and dissemination of analyses, for both previously known and previously unknown exploits. Phase I efforts focused on three accomplishments:
1) Analysis of not only the malicious software itself in situ, but also the network packets that delivered the software to the end-system and the protocol payload in which the malware was embedded;
2) Use of the results of the analysis to generate information that can be used by existing conventional network security devices to detect or block network traffic that carries the malicious software;
3) Dissemination of the information to existing security devices, which can then use existing mechanisms to filter the malware out of network traffic.
We propose to productize these results in a Phase II project that includes matchable funding from our development partner IBM, enabling the use of Fast Track matching funds for Phase II. This proposal describes a work plan for additional technology development and integration with other commercial products, as well as development of milestones, productization plans, schedules, and lab and field trials.

Company

CounterStorm Inc.
15 W. 26th Street
7th Floor
New York, NY
10010-1002

Proposal Information

0423004 - Packet Content Payload Anomaly Detection

Topic Information

H-SB04.2-002 - Real-Time Malicious Code Identification

Award/Contract Number

NBCHC050142

Abstract

This proposal by CounterStorm Inc. (formerly System Detection) concerns the second phase of research, development, and commercial release of a novel method to detect malicious code exploits in network traffic. The successful Phase 1 project led to several new innovations and improvements, and commercial development is under way. The PAYL Payload Anomaly Detection sensor will be completely implemented in the CounterStorm AntiWorm-1 product platform and introduced to commercial and government sites. New features of the PAYL anomalous payload detection sensor created under Phase 1 funding demonstrated highly accurate detection and generated signatures for zero-day worm exploits. Experimental evidence demonstrated that "site-specific models" trained and used for testing by PAYL can detect new worms with high accuracy in a collaborative security system. In Phase 2 we continue to build on a new approach that correlates ingress/egress payload alerts to identify the worm's initial propagation. The method also enables automatic signature generation very early in the worm's propagation stage. These signatures can be deployed immediately to network firewalls and content filters to proactively protect other hosts. Tests and evaluations of sensor performance are also proposed for Phase 2. Collaborative research and development by CounterStorm and Columbia University will address several basic problems dealing with handling encrypted content traffic and scaling the sensor to high-speed network rates. Significant engineering activities are needed to embed solutions to these performance issues into the CounterStorm AntiWorm-1 platform. The speed of gigabit networks strains the limits of what can be detected in real time, especially when decrypting content flows. There are currently no Commercial Off-the-Shelf (COTS) solutions that provide highly efficient content-based anomaly detectors operating on high-speed networks without packet loss. By overcoming these obstacles, we can provide the first effective content-based anomaly detection system to secure high-speed networks. The CounterStorm AntiWorm-1 platform with PAYL technology improves accuracy for all worm detection and blocking. More importantly, PAYL facilitates the detection and blocking of non-scanning 'zero-day' worms, adding a significant layer of security to critical IT infrastructures for commercial and government entities.

Vortex Corporation, in partnership with the Water Quality Center and Prof. Charles Gerba at the University of Arizona, proposes to address HSARPA's need for an effective replacement for chlorine in municipal water treatment. The proposed water disinfection system combines the synergistic effect of UV, ozone and silver ions to produce drinking water that meets EPA requirements. In the Phase I program, a laboratory prototype device was constructed and shown to meet or exceed EPA requirements for primary and secondary disinfection and disinfection-by-product formation. In Phase II, a larger-scale prototype system will be designed, built and tested on a group of homes at the Water Village at the University of Arizona. The Water Village is an isolated group of homes with its own water treatment and water distribution system. Here, the prototype will be tested for its compliance with all EPA requirements, including primary and secondary disinfection and disinfection-by-product formation.

The objective of the research presented in this Phase II proposal is to extend and understand the success of the Phase I work and to conduct the work plans developed in the Phase I activities. The primary objective of this research is to develop answers that will remove barriers to implementation of on-site generation technology as a replacement for chlorine gas, and to provide scientific answers that will help implement application of on-site generated mixed-oxidants to a wider variety of water treatment applications.
The four areas of research will be Cryptosporidium parvum inactivation, oxidant speciation, electrolytic cell coating optimization, and biofilm removal.

Current methods of decontamination have shortcomings regarding their deployment. Cost of storage, the requirement for personal protective equipment during use, damage to the substrates they are applied to, and clean-up costs are some relevant examples. This project aims to develop a wide-area TIC neutralization technology based on nanoparticles of mixed metal oxides and electrochemical methods. All components of the material are non-toxic and non-corrosive, so the product is safe to use and friendly to the environment. This technology will provide an efficient means to neutralize chemicals; it will be easy to apply and cost effective. The proposed Phase II effort will build on the concept feasibility demonstrated in the Phase I work. In Phase II, the formulation of the material and the operating mode of the TIC neutralization technology will be optimized, typical neutralization protocols will be developed, and a commercially viable lab-scale demonstration will be conducted. This technology will benefit various government departments in their efforts against chemical terrorism. Commercial applications include treatment of chemical spills due to accidents at sites of industrial production and chemical storage facilities, and in transportation and distribution operations.

Company

Isotron Corporation
1443 N Northlake Way
Seattle, WA
98103-8994

Proposal Information

0422013 - Wide-area Toxic Industrial Chemical Decontamination

Topic Information

H-SB04.2-004 - Wide-Area TIC Neutralization

Award/Contract Number

D06PC75187 (formerly NBCHC050169)

Abstract

The purpose of this SBIR effort is the demonstration of concept and deployment of a novel method of large-scale decontamination of Toxic Industrial Chemicals (TICs). The Phase I effort demonstrated both neutralization and removal techniques for dealing with decontamination. The decontamination system couples a Strippable Vapor Encapsulation Coating ("ISOLOCK-VC") with a hybrid inorganic/organic decontamination sol-gel. In some cases a two-step decontamination process was required, while in others decontamination could be effected in one step. The Phase I effort successfully demonstrated proof of concept. This Phase II activity will advance the technology to field-scale trials and pilot-scale production and will deliver at least two TIC neutralization protocols for wide-scale use.

H-SB04.2-005 - Innovative Techniques for Concealed Weapons or Explosive Detection at a Distance

Award/Contract Number

NBCHC050158

Abstract

This Phase II Small Business Innovation Research project is aimed at designing, assembling, and demonstrating an entirely new imaging system capable of detecting hidden weapons at standoff distances. Phase I of this program successfully identified critical terahertz atmospheric transmission windows with high precision, defined the best candidate imaging system, and carried out an analysis of this system resulting in detailed system performance predictions. Compact and efficient semiconductor terahertz quantum cascade lasers are currently being developed by several companies (including Spire) and laboratories, and will soon be commercially available. Using these laser sources as illuminators and local oscillators, a small and portable imaging system based on ultra-sensitive, room-temperature, coherent heterodyne detection is proposed. Terahertz radiation, with its submillimeter wavelengths, is non-ionizing and low in energy, avoiding environmental safety issues. Working with the University of Massachusetts Lowell Submillimeter-Wave Technology Laboratory as a subcontractor, Phase II will involve (a) completion of the imager system design begun during Phase I, (b) assembly of a breadboard imaging system, and (c) demonstration and evaluation of the imaging system under simulated field conditions using representative or surrogate explosives and weapons. Commercialization of the imaging system will be carried out utilizing Spire's Biomedical manufacturing, marketing, and sales resources. The commercial availability of terahertz imaging systems will have a strong impact on homeland defense, military and police surveillance, biomedical technology, agricultural inspection, transportation security, analytical instruments, and high-resolution spectroscopy. Homeland defense and military applications include detection of hidden weapons and explosives, while biomedical applications include DNA identification and analysis, high-resolution spectroscopy for organic material identification, discrimination between normal and cancer cells, and potential identification of other tissue abnormalities. Scientific applications include high-resolution spectroscopy for rapid identification of trace gases of heavy molecules, including explosives and chemical weapons.

H-SB04.2-005 - Innovative Techniques for Concealed Weapons or Explosive Detection at a Distance

Award/Contract Number

NBCHC050168

Abstract

Terahertz (THz) radiation imaging and sensing is one of the most promising technologies for the standoff detection of concealed threats. In Phase I, Intelligent Optical Systems (IOS), in collaboration with the Center for Terahertz Research at Rensselaer Polytechnic Institute, demonstrated the feasibility of detecting explosives underneath cloth and packaging materials via the reflection of THz radiation. In Phase II, the collaboration will establish the distance limits for standoff detection of concealed explosives and weapons using state-of-the-art THz sources and detectors. IOS will develop a unique, innovative, and powerful data fusion process to spatially resolve the location of threats detected by standoff THz reflection spectroscopy over a field of view, and to associate the threat with the corresponding person or object on a video display of the same field of view. Images from the standoff detection system will be obtained safely without invasion of personal privacy. One Phase II product will be the integrated design of a THz spectrometer and data system capable of detecting and identifying threatening persons and objects from a distance as great as 50 meters. The potential benefits are enormous, and include saving lives and buildings. Commercial potential is in excess of $1 billion.

H-SB04.2-005 - Innovative Techniques for Concealed Weapons or Explosive Detection at a Distance

Award/Contract Number

NBCHC060005

Abstract

In this Phase II project, Pharad proposes to develop and fabricate an engineering prototype concealed weapons detection system and test its weapon detection capability in a laboratory demonstration. The prototype system will incorporate the innovative electromagnetic technology for concealed weapons detection that we proposed and validated theoretically and experimentally in Phase I. Having successfully achieved our Phase I goals, we will further develop the weapons detection system in Phase II. Our novel technical solution for concealed weapons detection uses millimeter-wave signals to excite resonances in the target, creating a unique signature that can be used to characterize the object. Using such excitation signals, benefits such as increased resolution and reduced component size can be achieved. In addition, the EM signature of the target exhibits more features available for classifying the object. Our proposed Phase II effort comprises a number of hardware and software development activities, including the implementation of the target detection algorithm, development of the prototype mm-wave sensor module hardware and software, and development of the Central Station subsystem. In addition, we will test the prototype system in a laboratory demonstration, and deliver a prototype sensor to HSARPA along with the Central Station software.

The availability of a lightweight microclimate cooling system will dramatically improve performance and comfort for first responders operating in HAZMAT environments. In this project, we will continue the development, testing and demonstration of adsorption-based microclimate cooling systems that can be configured for a range of first-responder mission profiles. The cooling system can provide 150 watts of cooling for a minimum of one hour and weighs 4-5 pounds. Cooling can be provided as either recirculating chilled water or dry air through a vest worn by the user.

Aspen Systems proposes to develop a unique, state-of-the-art miniature vapor compression cooling system for use by emergency first responders. The program is structured to include investigation and research into realistic user needs as part of the product definition activities. Aspen has established relationships with representatives from the various user groups within the first responder communities. Through collaboration with these users, we plan to clearly define the user requirements and translate them into the engineering of an optimized cooling solution. We will build upon the success of the Phase I program and address issues in the prototype developed in that effort. The final output of this Phase II program will be a personal cooling solution optimized for the first responder and ready for transfer to production.